Even if your startup is in Houston or Dallas, it may need to comply with GDPR under certain circumstances. Here’s what to do.
Figure out which role you play under GDPR
You’re a controller if you decide the purposes and means of processing. You’re a processor if you—wait for it—process personal data on behalf of a controller. Keep in mind that it is possible to be both a controller and a processor.
Adopt GDPR principles
You must abide by these principles under GDPR: that data is processed lawfully and fairly, that there’s a purpose limitation, that data is not excessively collected (minimization), that the data is accurate, that you implement storage limitation, and that processing is done confidentially and with integrity.
Implement technical and organizational safeguards
Your startup needs to be properly equipped, both technically and organizationally, to handle personal data and data processing securely.
Make appointments under GDPR
You may have to appoint a Data Protection Officer if you regularly and systematically process personal data or if you handle sensitive data; you may also need to appoint an EU representative (similar to a corporate registered agent for business filings, but located in the EU for data protection purposes).
Allow data subjects to exercise their rights
Under GDPR, data subjects have certain rights over their data. Make sure you allow them to exercise these rights. Remember that some rights will be unavailable depending on the legal basis used for processing.
Make sure contracts, privacy policy, etc. are properly in place
There are relationships you’ll need to tend to—between the data subject, controller, and processor. See here for what you need in those documents.
Maintain good records
Depending on the size of your organization, you may be required to keep records of processing activities. It’s a smart idea to keep records regardless.
Report if you have any breaches or if there are other issues
You have a duty under GDPR to report personal data breaches to the supervisory authority and, in some cases, to the affected data subjects, as well as to report other compliance issues.
Review this article to make sure your understanding is well-rounded
Remember—bits and pieces of information are largely useless. Make sure you have a well-organized understanding of all of this. Read this article for an overview of GDPR.